CISSP Flashcards: Software Development Security, SDLC, OWASP, Secure Coding


Explore software development security, including the software development life cycle (SDLC), OWASP guidelines, and secure coding practices. This section is vital for ensuring the security of applications.


Nortren

What are the phases of the software development lifecycle?

The software development lifecycle, or SDLC, includes: requirements gathering, where security requirements are defined alongside functional ones; design, where threat modeling and architecture review occur; implementation, where secure coding practices are followed; testing, where security testing including static analysis, dynamic analysis, and penetration testing is performed; deployment, where secure configuration and hardening are applied; and maintenance, where patches and updates address newly discovered vulnerabilities.

What is the OWASP Top Ten and why does it matter?

The Open Web Application Security Project Top Ten is a periodically updated list of the most critical web application security risks. It serves as an awareness document and a starting point for secure development. Key entries include broken access control, where users can act beyond their intended permissions; cryptographic failures, where sensitive data is inadequately protected; injection, where untrusted input is sent to an interpreter; and security misconfiguration, where default or incomplete configurations create vulnerabilities.

What is SQL injection and how is it prevented?

SQL injection occurs when an attacker inserts malicious SQL code into input fields that are passed directly to a database query without proper validation or sanitization. The attacker can read, modify, or delete database contents, bypass authentication, or execute administrative operations. For example, entering a specially crafted username can modify the login query to return all user records. Prevention requires parameterized queries, also called prepared statements, which separate SQL code from user input.

What is cross-site scripting and what are its types?

Cross-site scripting, or XSS, occurs when an attacker injects malicious scripts into web pages viewed by other users. Reflected XSS sends the script in a request and the server reflects it back in the response, typically through a crafted link. Stored XSS permanently stores the script on the server, such as in a forum post, affecting all users who view the page. DOM-based XSS modifies the page's Document Object Model in the browser without server involvement. XSS can steal session cookies, redirect users, or deface pages.

What is threat modeling and when should it be performed?

Threat modeling is a structured process for identifying potential security threats to a system and determining appropriate countermeasures. It should be performed during the design phase of the SDLC before code is written, when changes are cheapest to implement. Common methodologies include STRIDE, which categorizes threats as spoofing, tampering, repudiation, information disclosure, denial of service, and elevation of privilege; and DREAD, which rates threats by damage, reproducibility, exploitability, affected users, and discoverability.

What is the difference between static and dynamic application security testing?

Static application security testing, or SAST, analyzes source code, bytecode, or binaries without executing the application, finding vulnerabilities like buffer overflows, injection flaws, and hardcoded credentials early in development. Dynamic application security testing, or DAST, tests the running application by sending crafted inputs and analyzing responses, finding runtime vulnerabilities like authentication flaws, configuration errors, and injection that only manifest during execution. SAST finds more issues earlier but produces more false positives.

What is the concept of security by design?

Security by design means integrating security considerations into every phase of system and software development, from the earliest requirements and architecture decisions, rather than adding security controls after the system is built. Core principles include least privilege; defense in depth; fail-safe defaults, where the system denies access by default; economy of mechanism, keeping designs simple; complete mediation, checking every access request; and open design, not relying on secrecy of the design for security.